1. Field of the Invention
This invention relates to data backup and restore systems in a computer system. Particularly, this invention relates to handling data securely in data backup and restore systems operating on networked computer systems.
2. Description of the Related Art
A typical data backup and restore system, such as IBM's Tivoli Storage Manager (TSM), can provide client-server-based backup and recovery for client objects (e.g., files). The system stores object data in a storage repository and maintains metadata related to each object in a database. The storage of the data and metadata relies on a transactional system in order to ensure referential integrity of the database.
As backup objects are manipulated by such a system, data is written, deleted, and/or moved (which is essentially a combination of writing and deleting). These data operations occur to process the backup objects into, out of and within a backup repository that is managed by the backup system. In a conventional backup system, it is sufficient to only “logically” delete data such that only the references to physical storage locations of the data of the backup objects are erased from the system (file system and/or backup system). This ordinary deletion process means that the data may be recoverable up until the moment that new data is written over the identical location. This can be a desirable byproduct in many cases, but it is undesirable when data security is important.
Recently, increased concern with data security has led to the additional requirement that data be securely deleted (i.e., destroyed) when it is deleted (or moved, which constitutes copying the data to a new storage location and deleting it from the original location). The typical life cycle for a backup object begins when the object is first inserted into the backup server. Over time, the backup object might subsequently be moved to one or more new storage locations within the backup repository and may reside in the repository for a user-specified retention period until it is finally deleted as scheduled. Another case for deletion is when the initial insertion of the object into the backup server fails. In this case, any partially-written data must also be deleted. In all cases of deletion, any sensitive data must be securely deleted. Unlike logical deletion, which at a minimum only erases references to the actual data location, a secure deletion process also actively obliterates the data where it physically exists on the storage device. Some prior art systems and methods have been developed in the areas of transactional processing in backup systems and secure deletion.
U.S. Pat. No. 6,944,635 by Kim et al., issued Sep. 13, 2005, describes a method for file deletion and recovery against system failures in a database management system comprising the steps of deleting files listed in a pending action list during a transaction commit process, writing a non-atomic file deletion as an atomic operation into a log, and recovering uncompleted file deletions during restart recovery by using the log. When system failures occur during file deletion in a database management system, resources whose release was interrupted by the failure are fully released during the recovery step, so it is advantageous in that coherency of data is maintained and the efficiency of the storage device is improved.
U.S. Pat. No. 5,561,795 by Sarkar, issued Oct. 1, 1996, describes a transaction processing system where audit information for database updates and the status of transactions in process is sequentially written in audit records in an audit file, where the audit file may be used to restore the database to a consistent state following a system failure. The invention decreases the overhead processing required for auditing, and at the same time minimizes the impact the auditing has on the processing time required for restoring the database. A value which references the location in the audit file at which recovery of the database may begin is conditionally updated each time a page of the database which is cached in the main memory of the data processing system is written to non-volatile storage, based upon the position of the earliest written audit record which is associated with the cached page. In addition, when processing of a transaction is complete, the transaction identifier of the oldest incomplete transaction is saved in the audit record for the completed transaction. When restoring the database to a consistent state, the value which is maintained according to the earliest written audit record and the transaction identifier of the oldest incomplete transaction are used as reference points in the audit file to minimize the processing required to restore the database.
U.S. Patent Application Publication No. 2005/0138085 by Verma et al., published Jun. 23, 2005, describes a transactional file system wherein multiple file system operations may be performed as part of a user-level transaction. An application specifies that the operations on a file, or the file system operations of a thread, should be handled as part of a transaction, and the application is given a file handle associated with a transaction context. For file system requests associated with a transaction context, a component within the file system manages the operations consistent with transactional behavior. The component, which may be a resource manager for distributed transactions, provides data isolation by providing multiple versions of a file by tracking copies of pages that have changed, such that transactional readers do not receive changes to a file made by transactional writers, until the transactional writer commits the transaction and the reader reopens the file. The component also handles namespace logging operations in a multiple-level log that facilitates logging and recovery. Page data is also logged separate from the main log, with a unique signature that enables the log to determine whether a page was fully flushed to disk prior to a system crash. Namespace isolation is provided until a transaction commits via isolation directories, whereby until committed, a transaction sees the effects of its own operations not the operations of other transactions. Transactions over a network are also facilitated via a redirector protocol.
U.S. Pat. No. 6,304,948 by Motoyama et al., issued Oct. 16, 2001, describes an approach for storing and maintaining data involving determining whether data has been stored on a first non-volatile storage for a specified period of time. If so, then the data on the first non-volatile storage is deleted by overwriting the data on the first non-volatile storage with a predetermined value so that the data cannot be recovered. The first non-volatile storage is registered with a registration authority to provide authentication of the data maintained on the first non-volatile storage. A duplicate copy of the data is stored on a second non-volatile storage and if a determination is made that the data has been stored on a first non-volatile storage for a specified period of time, then the duplicate copy of the data is deleted by overwriting the duplicate copy of the data on the second non-volatile storage with the predetermined value.
U.S. Pat. No. 5,265,159 by Kung, issued Nov. 23, 1993, describes a method of securely deleting a file on a storage medium of a computer system so that it is not readable, wherein an encryption algorithm is used to encrypt the data in the stored file prior to a conventional deletion process. The invention permits a user to erase files from a permanent storage space in a manner that makes the file totally unreadable by others. When a user requests deletion of a stored file, the file is encrypted so that it is not readable. The user has an option to undelete the file by decrypting the file as long as this operation is done before the storage space is used by another program. When the secure deletion method is used, no utility program can recover any information from the deleted file. To an intruder, the storage space is encrypted to look like random bits. Therefore, no information can be retrieved or derived from the encrypted, deleted file. If the user does not expect to undelete the information, a one-way encryption algorithm is used to increase the speed of secure deletion of the file. If the user does not destroy the key, he or she may recover the file. This method restores the file directory pointer to the file and decrypts the encrypted stored file using the random key to permit access to the data contained in the stored file.
U.S. Pat. No. 6,314,437 by Starek et al., issued Nov. 6, 2001, describes a method and apparatus that enhance file system calls to a file system structure of an operating system. In particular, file system calls can be enhanced to provide real-time secure file deletion on an ongoing basis. A file system call that is intended to perform a function with respect to data stored on a storage device is intercepted. It is then determined whether the file system call is of a type that should be processed. If not, the original file system call is passed on through the file system. If the file system call should be processed, supplemental processing is performed to enhance the original file system call and the file system call is transparently returned to the calling system application. In one embodiment, real-time secure file deletion is implemented using a vendor-supplied driver (VSD) executing within the installable file system (IFS) of WINDOWS 95. Further, a method and system are disclosed for real-time secure data deletion in a system having an NTFS file system. Read calls are monitored using a read filter, and pointers to NTFS metafiles and page files are recognized and stored. Write calls are monitored using a write filter, and real-time secure data deletion of buffers is performed. File creation operations are monitored, and real-time secure data deletion of user files is performed when the file is to be overwritten. Further, set information operations are monitored, and real-time secure data deletion is performed for truncated, shrunk or deleted user files.
U.S. Pat. No. 5,488,720 by Inui, issued Jan. 30, 1996, describes an improved small electronic apparatus such as an electronic organizer. In the apparatus, data to be kept stored is prevented from being erroneously deleted. This apparatus comprises: a memory; a plurality of input keys; a temporary deletion element for, when a first predetermined key operation is performed, setting desired data which is stored in the memory into a temporary deletion state; a deletion element for, when a second predetermined key operation is performed, deleting the data which has been set into the temporary deletion state from the memory; and a release element for, when a third predetermined key operation is performed, releasing the temporary deletion state of the data which has been set into the temporary deletion state.
There is a need for systems and methods for securely deleting data applied in a data backup system. A conventional approach to this problem would be to securely delete the backup data in the same transaction that is performing the delete or move transaction. However, this introduces the additional problem of undoing the changes if the transaction fails. Under the conventional approach, the only way to be able to undo the destruction of the data would be to copy the original data into the transaction log or some other safe location, so that it could be retrieved in the event that the transaction fails. However, this solution is impractical in many situations because the amount of data could easily overwhelm the log and may actually further compromise security by creating yet another copy of the data that must also be securely deleted.
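The following is an added illustration, not part of the patent text: a constructed toy model of the trade-off just described, with a repository (storage plus a metadata table of references), a transaction undo log, and three delete modes run through a transaction that fails and rolls back. All class and function names are assumed for this example.

```python
class Repository:
    """Constructed toy backup repository: flat storage plus a metadata table."""
    def __init__(self, size=64):
        self.storage = bytearray(size)   # simulated physical storage device
        self.db = {}                     # object name -> (offset, length)

    def insert(self, name, data, off=0):
        self.storage[off:off + len(data)] = data
        self.db[name] = (off, len(data))

    def read_device(self, off, length):
        # A raw read of the device; it does not care whether a reference exists.
        return bytes(self.storage[off:off + length])


class Transaction:
    def __init__(self, repo):
        self.repo, self.undo_log = repo, []   # undo log entries: (kind, a, b)

    def logical_delete(self, name):
        # Only the reference is erased; the bytes stay until overwritten.
        self.undo_log.append(("ref", name, self.repo.db.pop(name)))

    def secure_delete(self, name, copy_to_log):
        off, length = self.repo.db.pop(name)
        if copy_to_log:  # undoable only by keeping a second copy of the data
            self.undo_log.append(("data", off, self.repo.read_device(off, length)))
        self.undo_log.append(("ref", name, (off, length)))
        self.repo.storage[off:off + length] = b"\x00" * length  # obliterate in place

    def rollback(self):
        for kind, a, b in reversed(self.undo_log):
            if kind == "ref":
                self.repo.db[a] = b          # restore the reference
            else:
                self.repo.storage[a:a + len(b)] = b   # restore bytes from the log
        self.undo_log.clear()


def delete_then_fail(mode):
    """Delete 'backup.dat' in the given mode, let the transaction fail, and return
    (object recoverable after rollback, object bytes copied into the log,
    object bytes still readable on the device while it was 'deleted')."""
    repo, secret = Repository(), b"account-number-4417"   # constructed sample
    repo.insert("backup.dat", secret)
    tx = Transaction(repo)
    if mode == "logical":
        tx.logical_delete("backup.dat")
    else:
        tx.secure_delete("backup.dat", copy_to_log=(mode == "secure+log"))
    exposed = repo.read_device(0, len(secret)) == secret
    logged = sum(len(e[2]) for e in tx.undo_log if e[0] == "data")
    tx.rollback()
    restored = repo.db.get("backup.dat") == (0, len(secret)) and repo.read_device(0, len(secret)) == secret
    return restored, logged, exposed
```

Logical deletion rolls back cleanly but leaves the bytes readable; secure deletion inside the transaction either loses the object on rollback or must copy every byte into the log, which is the second copy the text warns about.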
In view of the foregoing, there is a need in the art for systems and methods for securely destroying data applied in a backup system. There is a need for such systems and methods to operate without allowing sensitive data to become accessible notwithstanding any type of failure occurring in the operation of the backup system. Particularly, there is a need for such systems and methods to operate without making additional copies of the original data. The need for techniques which facilitate secure deletion of data objects is more pronounced in the operation of file or backup systems operating over distributed computer networks, where a file transaction can fail if any of a large number of devices fails. These and other needs are met by the present invention as detailed hereafter.